These hardware devices can fail and take the key with them. Master keys aren't expendable like subkeys so it's always a good idea to have a paperkey backup. I worked on binary decoding for zbar to make them easy to decode with a laptop camera.
I don't have a script. I submitted patches to zbar and added instructions to the Arch Wiki once the updated version of zbar landed in the repositories.
Are you accessing from a corporate network where they are doing TLS interception? If so, the replacement certificate isn't stapled and Firefox is picking up on that because the site requires it.
Similar setup here. Even my ssh key is a subkey of my pgp key.
Pgp’s most valuable use case is still establishing a digital identity toehold. The PGP key that is used to sign the commit, is also used to SSH to git server, is also used to sign the code review comments, is also used to sign the build binaries.
I’m hoping some day there is website authentication integration via passkey or the like.
Digital identities are useful insofar as they're (1) binding, and (2) actually easy for others to verify, neither of which is particularly true for PGP (especially given the WoT/strong set's demise).
The closest thing to a binding identity in the PGP ecosystem is OpenPGP's "verifying keyserver," which issues a challenge to a submitted PGP key's claimed email address. But that isn't a very strong proof of identity, and it doesn't prevent anybody from claiming to be anybody else in the broader PGP ecosystem.
These days people tend to have multiple aspects to their identity that they keep separate. You probably want to have a Github identity separate from, say, a social media identity or, say, your legal identity. Verifying such identities is heavily contextual. So a system that lets you generate your own identities in a well standardized way is useful.
This. Because people have their personal identity, their work identity, maybe a corporate identity if they run a company. It's too complex a concept to codify into an Uber-identity.
Sure. But none of that requires or even particularly recommends PGP. In one sense it even discourages PGP, since PGP's "normal" identity devolution pattern is subkeys bound back to the top-level user key.
I do not use these hardware keys, but I can see a use for then since I bounce between Linux, NetBSD and OpenBSD depending on what I am doing for testing programs I develop at work.
I can assume Linux and a good chance FreeBSD will have no issues with this device. I am curious about the other *BSDs though.
My Yubikey 5 NFC rocks. Just works, does everything I want.
I ordered a Nitrokey 3C NFC 2 years ago, never heard from them until a week ago where they said they shipped it (I'll believe it when I receive it). I tried to contact their support once to kindly ask if I still existed in their database, they answered that I should read the blog in a rude way (which did not even answer my question).
They were claiming 2 years ago that they had many features (my understanding was "almost compares to Yubikey"), and I realized recently that it was not only not true, but in those 2 years they haven't reached feature parity (not even remotely).
So... feel free to order a Nitrokey to support them (I did, and my hope is that it will get better), but if you want something that works today, go for Yubikey.
The main limitation of the Yubikey is that the firmware is closed source and potentially even backdoored. Otherwise the construction and features of Yubikey are pretty good.
The Yubikey firmware is open but the problem is that you can't overwrite it anymore. They did this during the Yubikey NEO age, the first ones could still be updated. They say they did it to avoid authentication bypass attacks which makes sense but there should be other ways to do that. And the updatability keeps it current and also allows for verified builds.
About a year after they changed it though there was a huge vulnerability in the Yubikey where it failed to actually check the pincode making the security useless. Which proved locking the firmware was a bad idea IMO. They ended up having to replace tons of them which could have been updated. I was hoping they'd bring updatable firmware back but they didn't.
Yeah, the thought that Yubikey may not require PIN in some cases is scary. It’s like a GPG key without a password in home directory. Not only it will be useless, but actually harmful.
For such reasons, I have been searching for alternatives. It seems other products have other issues.
It is by far the most comprehensive guide on using a YubiKey as a SmartCard for storing GPG keys. I used this a few years ago and it helped clear up any confusion I had about getting the most out of my Yubikey 5 NFC.
While a nicely comprehensive guide for other topics, and similar to my use of a Yubikey, it looks like it's actually almost entirely separate from what this post is about: storing a PGP master key on a hardware key, separate from the subkeys (which are likely on a different hardware key), so that it can be more easily used to sign the PGP keys of other people, for web-of-trust purposes. Those topics don't seem to be considered at all in that guide, and are rather less common.
I think people should seriously consider using something like passphrase2pgp [0] in addition to a hardware key like this. That way you can have a brain key (hopefully generated with diceware or equivalent) to tie together day-to-day keys like this to a more permanent identity. I'm honestly surprised that strategy is not more widespread.
31 comments
[ 3.4 ms ] story [ 73.9 ms ] threadhttps://wiki.archlinux.org/title/Paperkey#Restore_the_secret...
It's just a simple pipeline:
Even 4096 bit RSA keys fit in binary QR codes. Ideal for easily restoring keys in a live Linux system and ensuring they are never written to disk.[2] - https://support.mozilla.org/en-US/questions/1149911
Pgp’s most valuable use case is still establishing a digital identity toehold. The PGP key that is used to sign the commit, is also used to SSH to git server, is also used to sign the code review comments, is also used to sign the build binaries.
I’m hoping some day there is website authentication integration via passkey or the like.
The closest thing to a binding identity in the PGP ecosystem is OpenPGP's "verifying keyserver," which issues a challenge to a submitted PGP key's claimed email address. But that isn't a very strong proof of identity, and it doesn't prevent anybody from claiming to be anybody else in the broader PGP ecosystem.
This is why Facebook has a real name policy for example.
With the move to federated systems in commercial hands (log in with Facebook, Google etc) this only becomes harder to escape.
I am quite knowledgeable about PGP but I have no idea what this means.
I can assume Linux and a good chance FreeBSD will have no issues with this device. I am curious about the other *BSDs though.
Nitro keys are semi open source. Other than that, any advantage?
I ordered a Nitrokey 3C NFC 2 years ago, never heard from them until a week ago where they said they shipped it (I'll believe it when I receive it). I tried to contact their support once to kindly ask if I still existed in their database, they answered that I should read the blog in a rude way (which did not even answer my question).
They were claiming 2 years ago that they had many features (my understanding was "almost compares to Yubikey"), and I realized recently that it was not only not true, but in those 2 years they haven't reached feature parity (not even remotely).
So... feel free to order a Nitrokey to support them (I did, and my hope is that it will get better), but if you want something that works today, go for Yubikey.
The main limitation of the Yubikey is that the firmware is closed source and potentially even backdoored. Otherwise the construction and features of Yubikey are pretty good.
About a year after they changed it though there was a huge vulnerability in the Yubikey where it failed to actually check the pincode making the security useless. Which proved locking the firmware was a bad idea IMO. They ended up having to replace tons of them which could have been updated. I was hoping they'd bring updatable firmware back but they didn't.
For such reasons, I have been searching for alternatives. It seems other products have other issues.
And Librem Key fully relies on FLOSS.
https://forums.puri.sm/t/librem-key-practical-usage-scenario...
Lacks FIDO, and curve 25519.
It is by far the most comprehensive guide on using a YubiKey as a SmartCard for storing GPG keys. I used this a few years ago and it helped clear up any confusion I had about getting the most out of my Yubikey 5 NFC.
[0] https://github.com/skeeto/passphrase2pgp